Windows Server 2008 R2 : Active Directory federation services (part 3) - Install Web agent for claims aware Web application, Configure ADFS certificates

6/16/2014 4:16:55 AM

2.2 Install Web agent for claims aware Web application

The next task in setting up ADFS is to configure the Web application to support claims-based authentication. This is done by installing the ADFS Web agent on the Web application server. The Web agent comes in two forms:

  • Claims-Aware Agent—The claims-aware agent is used for applications that support claims-based authentication natively. If your Web application has been developed to support claims authentication, you should install this agent.

  • Windows Token-based Agent—The Windows token agent is used to support applications that are not natively capable of supporting claims-based authentication. Using the Windows token-based agent, traditional Windows-based authentication Web sites can be set up to work with ADFS. If you are using a Windows token agent, you will want to set up the ADFS server prior to installing the Web agent as you will be asked to specify the name of the ADFS server when adding the Web agent role service.

To install the Web agent, perform the following tasks:

  1. Log on to the Web application server and open Server Manager.

  2. Select the Roles node, then click the Add Roles link in the middle pane.

  3. Click Next to begin.

  4. Select the Active Directory Federation Services role and click Next.

  5. On the Introduction page, click Next.

  6. Select the Claims-aware Agent (see Figure 7), then click Next.

    Image

    Figure 7 Claims-aware Agent Role Service.

  7. On the Confirmation page, click Install to install the Web agent.

  8. After the installation completes, click Close.

2.3 Configure ADFS certificates

Now that all of the ADFS components are installed, we need to make sure that each component trusts the certificate (or certificate chain) presented by the components it talks to, because this example deployment uses self-signed certificates. In a production deployment where the certificates are issued by a CA that every server already trusts, several of the following steps are unnecessary. Complete the following steps to finish the certificate setup for ADFS.

The first step is to create a self-signed server authentication certificate for the Web application server (web1.extranet.syngress.net). Recall that the server authentication certificates for both ADFS servers were created when the role was added to each of those servers. To create the server authentication certificate for the Web server, perform the following tasks:

  1. Open Server Manager.

  2. Select the node Roles | Web Server (IIS) | Internet Information Services (IIS) Manager.

  3. In the middle pane, select the Web server node (WEB1) and then open the Server Certificates option (see Figure 8).

    Image

    Figure 8 Web Server Configuration options.

  4. In the right Actions pane, click the link to Create Self-Signed Certificate (see Figure 9).

    Image

    Figure 9 Create a new Self-Signed Certificate.

  5. In the dialog box requesting a friendly name, enter web1 self signed, then click OK.

  6. Select the Default Web Site (or the Web site hosting your claims-aware application) in the middle pane of the IIS Management console.

  7. Click the Bindings link in the right Action pane.

  8. Click Add to create a new binding in the Site Bindings window.

  9. Select a type of https and select the self-signed certificate you just created (see Figure 10), then click OK.

    Image

    Figure 10 Add SSL Binding to Web application.

  10. Open the SSL settings of the Web site and choose the options to Require SSL and to Accept client certificates.
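The same binding and SSL settings can be applied from PowerShell. The following script is an added example and is not part of the original article; it assumes IIS 7.5 with the WebAdministration module (Windows Server 2008 R2), an elevated prompt, and that the certificate created in step 5 already exists in the computer's Personal store. $SiteName and $CertThumbprint are placeholders you replace with your own values.

```powershell
# Added example (not from the original article): bind an existing server
# certificate to HTTPS on the site hosting the claims-aware application and
# set the SSL flags chosen in the GUI (Require SSL + Accept client certificates).
# Assumptions: IIS 7.5 / WebAdministration module, elevated PowerShell prompt;
# $SiteName and $CertThumbprint are placeholders.
param(
    [string]$SiteName       = "Default Web Site",
    [string]$CertThumbprint = "<thumbprint of the 'web1 self signed' certificate>"
)

Import-Module WebAdministration

# Locate the certificate in LocalMachine\My and confirm it carries a private key;
# a certificate without one cannot terminate TLS.
$thumb = ($CertThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)               { throw "No certificate with thumbprint $thumb in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key and cannot be a server certificate" }

# Add an HTTPS binding on port 443 unless the site already has one.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}

# Associate the certificate with the 0.0.0.0:443 listener.
$sslPath = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# Require SSL and ACCEPT client certificates (SslNegotiateCert). Using
# SslRequireCert instead would reject every browser without a client certificate.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl,SslNegotiateCert"

# Verify the result: the HTTPS binding and the effective sslFlags.
Get-WebBinding -Name $SiteName -Protocol https
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "system.webServer/security/access" -Name sslFlags
```

The script stops before touching the binding if the certificate is missing or has no private key, which is the usual cause of an HTTPS binding that appears in the GUI but fails with a TLS handshake error.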

Next we need to export the server authentication certificate and the token-signing certificate from the ADFS server in the extranet so that they can be imported into the trusted certificate store on the Web server. We also need to export the token-signing certificate from the ADFS server on the internal LAN (dc1.syngress.com); this certificate is needed later when the ADFS servers are configured to trust one another.

To export the token-signing certificate from the internal LAN ADFS server (dc1.syngress.com), perform the following tasks:

  1. Log on to the internal ADFS server (dc1.syngress.com).

  2. Open Server Manager.

  3. Expand the node Roles | Active Directory Federation Services.

  4. Right-click on the Federation Service node and choose Properties.

  5. From the General tab, click the View button from the Token-signing Certificate section of the window (see Figure 11).

    Image

    Figure 11 Federation Service properties.

  6. Select the Details tab from the Certificate window and click Copy to file (see Figure 12).

    Image

    Figure 12 Certificate properties.

  7. Click Next to begin the Certificate Export Wizard.

  8. Select the No, do not export the private key option and click Next.

  9. Accept the default export format of DER encoded binary X.509 (.CER), then click Next.

  10. Enter a path and filename to export the certificate, then click Next.

  11. Click Finish to export the certificate. You should receive a confirmation dialog informing you that the export was successful.

Copy the certificate file to the extranet ADFS server (dc2.extranet.syngress.net) for use during ADFS setup.

To export the server authentication certificate from the extranet ADFS server, perform the following tasks:

  1. Log on to the extranet ADFS server (dc2.extranet.syngress.net) and open Server Manager.

  2. Select the node Roles | Web Server (IIS) | Internet Information Services (IIS) Manager.

  3. In the middle pane, select the Web server node (DC2) and then open the Server Certificates option.

  4. In the middle pane, right-click the dc2.extranet.syngress.net certificate and choose Export. Enter a path to save the certificate and a password to protect the private key (see Figure 13), then click OK.

    Image

    Figure 13 Exporting a Server Certificate.

You now need to copy the certificate to the Web server (Web1) and import it into the computer's trusted certificate store. Because the exported .pfx file contains the ADFS server's private key, copy it over a secure channel and delete it from the Web server once the import is complete; only the public certificate is needed to establish trust. After copying the certificate to the Web server, perform the following tasks:

  1. Open a new mmc console by clicking Start | Run and typing mmc and then clicking the OK button.

  2. You now need to add the certificates snap-in by clicking File | Add/Remove Snap-in.

  3. Select the Certificates snap-in and choose Add. When prompted for the type of account to manage certificates, select Computer Account and then click Next.

  4. Select Local Computer for the computer to manage, then click Finish.

  5. Click OK to close the add/remove snap-ins window.

  6. Expand the Certificates node, then right-click on the Trusted Root Certification Authorities node and choose All Tasks | Import.

  7. Click Next to start the Certificate Import Wizard.

  8. Enter the path and file name of the exported server certificate from the extranet ADFS server (dc2.extranet.syngress.net) as seen in Figure 14; then click Next.

    Image

    Figure 14 Import Certificate Wizard.

  9. Enter the password you previously assigned to protect the certificate's private key, then click Next.

  10. Ensure that the import location Trusted Root Certification Authorities is selected and click Next.

  11. Click Finish to import the certificate. You should receive a confirmation dialog box that the import was successful.
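The import can also be scripted, which makes it easy to add the check a practitioner wants here: that the certificate being trusted really is the one shown on the ADFS server, and that no private key ends up in the Root store. The following script is an added example, not part of the original article or of ADFS itself; it uses only the .NET X509 classes available on Windows Server 2008 R2 (PowerShell 2.0) and assumes an elevated prompt. The file names, password and thumbprints are placeholders: the expected thumbprints are the values you read from the Server Certificates page on DC2 and from the Federation Service properties dialog, not values taken from the files themselves.

```powershell
# Added example (not from the original article): import the exported ADFS
# certificates into the Web server's Trusted Root Certification Authorities
# store, pinning each to a thumbprint confirmed out of band and stripping any
# private key before the certificate reaches the Root store.
# Assumptions: PowerShell 2.0+, elevated prompt; all parameters are placeholders.
param(
    [string]$ServerCertPfx      = "C:\certs\dc2.extranet.syngress.net.pfx",
    [string]$ServerCertPassword = "<password chosen in the export dialog>",
    [string]$ServerCertThumb    = "<thumbprint shown on DC2's Server Certificates page>",
    [string]$TokenSigningCer    = "C:\certs\dc2-token-signing.cer",
    [string]$TokenSigningThumb  = "<thumbprint shown in the Federation Service properties>"
)

$ns = "System.Security.Cryptography.X509Certificates"

function Get-NormalizedThumbprint([string]$t) { ($t -replace '[^0-9A-Fa-f]', '').ToUpper() }

# Add the public part of $cert to LocalMachine\Root, but only if its thumbprint
# matches the value read from the ADFS server. A wrong certificate here would make
# the Web server trust an impostor ADFS server, so a mismatch aborts the import.
function Add-TrustedRootCertificate {
    param($cert, [string]$ExpectedThumbprint)
    $expected = Get-NormalizedThumbprint $ExpectedThumbprint
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Subject) expired on $($cert.NotAfter)"
    }
    # Re-create the certificate from its DER (public) encoding so that a .pfx
    # source contributes no private key to the Root store.
    $der        = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $publicOnly = New-Object "$ns.X509Certificate2" -ArgumentList (,$der)
    $store      = New-Object "$ns.X509Store" -ArgumentList "Root", "LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($publicOnly) }   # no-op if the certificate is already present
    finally { $store.Close() }
    "Trusted: {0} (thumbprint {1}, private key in store: {2})" -f `
        $publicOnly.Subject, $publicOnly.Thumbprint, $publicOnly.HasPrivateKey
}

# 1. Server authentication certificate of the extranet ADFS server (exported as .pfx).
$serverCert = New-Object "$ns.X509Certificate2" -ArgumentList $ServerCertPfx, $ServerCertPassword
Add-TrustedRootCertificate -cert $serverCert -ExpectedThumbprint $ServerCertThumb

# 2. Token-signing certificate of the extranet ADFS server (DER .cer, public key only).
$signingCert = New-Object "$ns.X509Certificate2" -ArgumentList $TokenSigningCer
Add-TrustedRootCertificate -cert $signingCert -ExpectedThumbprint $TokenSigningThumb

# 3. Confirm the Web server can now build a valid chain for the ADFS server
#    certificate. Revocation is skipped because a self-signed certificate
#    publishes no CRL.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($serverCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain validation for $($serverCert.Subject) still fails"
}
"Chain validation succeeded for $($serverCert.Subject)"
```

Run it once on Web1 after the two files have been copied over; the final chain build is the same check Windows performs when the Web agent validates the ADFS server's certificate, so a failure here shows up before the first federated logon does.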
